A war of words has broken out after researchers revealed zero-day vulnerabilities in FireEye and Kaspersky's security software during the US Labor Day holiday weekend - leaving the two firms scrambling to patch the problems.
In a tale of contrasting bug disclosures, British researcher Tavis Ormandy, now with the Google Project Zero bug hunting team in California, said on Saturday he had found a flaw in Kaspersky's anti-virus product that was “about as bad as it gets”.
Kaspersky quickly patched the “remote, zero interaction system exploit”, earning praise from Ormandy for rolling out a fix in less than 24 hours. But yesterday Ormandy dropped the bombshell that he had found more Kaspersky vulnerabilities, “many obviously exploitable”. As yet Kaspersky has not responded.
Meantime, Los Angeles-based information security consultant Kristian Hermansen ignited a row when he published details on Sunday of a bug in FireEye's Mandiant security software that could give unauthorised users root access to the file system – as yet unpatched.
Hermansen, working with researcher Ron Perris, said in his Exploit Database posting that this was one of “many handfuls” of FireEye/Mandiant zero-days. And he criticised the vendor's reaction to his findings by claiming he had been “sitting on this for more than 18 months with no fix from those security ‘experts’ at FireEye”.
Hermansen also suggested the vulnerabilities might be ‘backdoors’ deliberately inserted by the vendor: “Pretty sure Mandiant staff coded this and other bugs into the products,” he said, adding: “Why would you trust these people to have this device on your network?!?!?”
On his Twitter account, Hermansen even offered for sale the three FireEye zero-days he had not made public, describing them as a login bypass plus two command-injection flaws giving remote root, one exploitable by an unauthorised user and one by an authorised user.
We asked FireEye to comment on his specific claims but it had not responded by the time of writing. However, the company issued a statement criticising his ‘irresponsible’ bug disclosure while promising a quick fix for the flaws.
It said: “FireEye learned of four potential security issues in our products from Kristian Hermansen's public disclosure of them being available for purchase. We appreciate the efforts of security researchers like Hermansen and Ron Perris to find potential security issues and help us improve our products, but always encourage responsible disclosure.
“FireEye has a documented policy for researchers to responsibly disclose and inform us of potential security issues. We have reached out to the researchers regarding these potential security issues in order to quickly determine, and potentially remediate, any impacts to the security of our platform and our customers.”
But Hermansen remained apparently unrepentant in statements attributed to him by CSO Magazine: "These issues need to be released because the platforms are wrought with vulnerabilities and the community needs to know, especially since these are Gov-approved Safe Harbor devices with glaring remote root vulnerabilities.
"No-one should be trusting these devices on their network if FireEye can't be bothered to fix the problems. As a security company, their standards should be higher."
He also focused on FireEye's lack of a bug bounty programme, saying: “They have been giving me lip service about implementing such a programme for more than a year. When they implement a bug bounty or security rewards process I will reply to them. Until then, they get cold silence.”
Commenting on the row, cyber-security expert Paco Hope, a principal consultant with Cigital, told SCMagazineUK.com that the issue of whether bug-bounty schemes are offered or not is crucial, but there is no easy answer.
“Firms who run a bug-bounty programme have an opportunity to set a bid price on vulnerabilities, but they must still contend with the ask price from researchers,” Hope said. “FireEye may be a bit late to the party, but bug-bounty programmes are not easy and they require risk-taking at a company level that the firm may not have been willing to accept.”
But Hope praised the response from Kaspersky, saying: “Kaspersky represents a mature process that was prepared in advance. They were only able to accept, respond and push out a security fix quickly because they already have a secure software development process in place.”
Amar Singh, chair of ISACA UK Security Advisory Group and founder of the Cyber Management Alliance, agreed the issue of bug bounties is complex.
He told SCMagazineUK.com via email: “There are pros and cons to bug-bounty - a researcher may get greedy and demand more but overall I am in support of paying out bug-bounties. In the case of the researcher publishing the actual exploit code, it could be seen as wrong. But on the other hand, at least they are making it public - possibly to force the vendor to clean up their act.”
Singh added: “We should expect that vendors take accountability and the responsibility to ensure that they timely fix vulnerabilities as they are made aware of them. There is simply no excuse for a vendor to sit on an exploit, whatever the reason.
“In this case, kudos to Kaspersky for responding within 24 hours. That's what I would expect from a responsible vendor. On the other hand, I don't agree with the approach of the other vendor in this case.”
Kaspersky issued a statement saying: "We would like to thank Tavis Ormandy for reporting to us a buffer overflow vulnerability, which our specialists fixed within 24 hours of its disclosure. A fix has already been distributed via automatic updates to all our clients and customers.”